Tony Gee - Reverse Engineering Hardware on DVRs and sex toys

BSides Belfast · 2017 · 40:24 · 787 views · Published 2017-10
Category: Technical
Style: Talk
About this talk
BSides Belfast 2017
Transcript [en]

Hello, perfect. Hi everybody, and so thank you very much for coming along. Seems like everyone kind of came along, it's quite cool. So a little bit about who I am and what we're about. So first and foremost, I'm not Ken. Ken unfortunately can't make it, so I've come along and will hopefully deliver something you'll really enjoy. But we're Pen Test Partners and we do lots of, you know, typical pen testing, but obviously I'm sure you've heard of the research we do. I think last year I was here I was talking about the Mitsubishi Outlander and also started talking a little bit about ransomware

on the thermostat, but this year it's a little bit different. This year I'm going to talk about DVRs and how, looking at DVRs, we bought loads and loads of them, primarily just to kind of understand whether Mirai missed anything, and actually had some really cool things that we found out of it, and actually some quite scary things as well. But then also you probably saw our article that kind of crashed our website, talking about a dildo, and so we'll cover that one a little bit later on. But anyway, I do kind of have to give a little bit of a warning, because we are talking about dildos and voyeuristic DVRs. So yeah, bearing that in mind, but

before we do any of that, I think it's kind of quite helpful, I guess, to go over a little bit of a primer as to what IoT is. It's kind of this abstract thing that everyone kind of knows about, but no one kind of knows what it is in detail, really. But I guess for our purposes, you know, it's a network of connected devices that are not necessarily a general-purpose computer. One thing that's really interesting is it doesn't need to be internet connected for it to be IoT. It also doesn't even need to be smart, it can be a very dumb device, and it certainly doesn't need to rely on any

cloud-based service for it to work effectively. But one thing that is very clear, though: IoT is really, really different. This is an IoT car park payment terminal, and we were asked to pen test this organisation and we were asked to look at this device. And what this device had is, you know, it's a standard payment terminal, but it had a GPRS/GSM or 3G, I think it's 3G actually, network connection to the internet so it could do the card processing, and it was in a public place. But someone hadn't kind of appreciated that these public devices would live in a public place, and so there's just an RJ45 network connector straight into the back of it

which was directly onto the corporate LAN, and so it took a second to, you know, own the corporate network from that. The other thing is that IoT has very little user feedback. This is obviously a Philips Hue bridge. Has anyone got those? Anyone with Philips Hue? They're really cool. I spent, what did I spend, I spent about 120 pounds on all of these lights for my house, and then my wife was just like, it's really annoying using the app, come on, I have a switch. So I've spent another 20 pounds on a Philips dimmer switch, so now what I've done is I've spent 120 pounds to turn my lights on and off with a switch.

It's a bit dumb really, right? But anyway, this device, this is obviously the bridge, and the bridge has got nothing on it. It's just got one button and three lights. Everything is done from the mobile app, so there's nothing really for end users to interact with. The other thing with IoT is, you know, it's not just us technology folks who are using it. Also now non-technical people, the users are typically very much non-technical people, but then you get into the realms of the installers, and when you think about things like the Nest and the Hive, for example, those are being installed by people from traditional trades: electricians, plumbers, gas engineers. They're not technologists, they aren't

going to understand it, and in a lot of cases they don't even come with the tools to check the device works. Literally all they do is they plug it in and expect it to work, so they have no ability to test that something bad has happened on that device. But one thing is absolutely certain with IoT, is that it is incredibly complex. I'd say we've got this naive view of what IoT is. Yeah, you've got this one device, this single device, and it just connects directly to the internet, and so if you want to compromise it as an attacker you've kind of got two places you need to compromise: you've got the device itself and then the cloud-based service.

The reality, the realistic view, is yes, you've still got your device and yes, you've still got your cloud-based server, but then you've got users of the device, then you've got your network segments, because let's be honest, on the internet it's not a direct point-to-point communication. There are network segments in place, and there's firewalls and network devices in place out there, and so these are more things that are going into this. Then of course we've got other things on the network as well, on the same network as this IoT device. We've then got cloud-based users who are connecting directly to the cloud, so from the internet directly to this cloud service, and then using that cloud

service to control the device. And we've got administrators of the IoT device network, or perhaps the network services on the network, so the routers and the switches along the way, and so you can see there's lots and lots of complicated systems. And not only that, there's backup services and the administrators of the owner of the company. So let's say you've bought a cloud-connected device: not only is there the administrators of the vendor of that device, but there's also the Amazon Web Services administrators, loads of different people. So as an attacker you can target lots of different places. You can target, in turn, inside the network, any of the devices inside. You

can target any cloud-based networks. You can target the IoT user from the internet, from a man-in-the-middle position. Then perhaps you could target the actual administrators of the network. You could also look to potentially target the administrators of the vendor of the product, and then also let's not forget we've got nation states who've got control over the net, and so, you know, those switches and the ISPs in between all of these different systems can also intercept the traffic. So when you start to think about that, you've got a lot of really, really complex systems and a lot of complex areas that you can actually look at in this seemingly simplistic system that is IoT, which makes it great from our

perspective, because quite often you'll find that devices are still really, really stupid. And so I thought what I'd do is I'd talk to you about how Mirai missed its mark, in my opinion. You know, there's a lot of things that were talked about with Mirai, and it was pretty rubbish, but it missed out on a lot of really interesting points. Take this MVPower DVR. Now this DVR, I was going to buy it, now it's a couple of years old, now it's been around for such a long time, but it is really poor. It's one of the worst devices we've actually looked at. At a basic level anybody can hack this device. There's around about 32,000

of them on Shodan, finding them really, really easily, finding them on Shodan probably. So when you authenticate to it, it's got a web interface. Most DVRs have got web interfaces you connect to. The problem with this device is you don't actually need to provide any authentication credentials. You just need to have two cookies, DVR user and DVR password. Doesn't matter what the value is; as long as you've got those cookies you'll authenticate to that device, which is like, what the hell? These things are on the internet, the public internet. Anybody can connect to these devices just by having two arbitrary cookies. But we haven't reached the bottom with this device, we're a long way

from reaching the bottom of this device. This device is so bad: the web interface runs as root, as most DVRs do. Most, even most IoT devices in general, run as root, and this particular device's web interface runs as root. But to make it a little bit worse, what they've decided to do is allow a shell command from the web interface, so you can just run a shell from the web interface by default. This is built into their firmware, and of course these are on the internet. You just need those two cookies and you've got yourself shell access to this device, which is also conveniently sat on the inside of the firewall through port forwarding, for

example. So you've now got a network implant just by providing two cookies. It's ridiculous, absolutely ridiculous. But again, we have not reached the bottom with this device. It is a little bit worse than that. This device is so bad that the developer of it actually coded in their own email address, and so every 30 seconds or so it sends a picture of the CCTV camera images to their email address. So it's completely voyeuristic: whatever the CCTV is seeing, the developers are seeing as well. I think their email address kind of got destroyed in the end, because there's so much been sent to them, and we decided we'd just send them

a frame by frame of the opening credits, which hopefully destroyed their email account, and I think in the end now they have actually kind of got close to dying. But it's just ridiculous, how is that possible in this day and age, that a developer can do that? Anyway, I said I'd talk about Mirai, so I kind of feel I ought to. So a little kind of primer. Everyone knows about port forwarding, but I kind of want to explain it anyway. So obviously when we look at a port forwarded device, let's imagine, you know, this is our IoT device, we've got the firewall, we've got other devices on the network and we've got a user. So as

a normal user you connect through the port forwarded port to the actual device on your internal network. Everything's great, right? As an attacker I want to target that box. Of course I can't target it because there's a firewall in the way. The great thing about port forwarding is that I can just target that IoT device through that very same port the legitimate user uses, and then if I can compromise that device I can use that to compromise the other internal networks. That's essentially what Mirai did. So Mirai obviously used ports 2323, 22 and 23, so telnet and SSH, right, I think that's right, and so those were port forwarded

to the internet, bizarrely, for no reason I could understand, but they're primarily using UPnP, so that's automatically port forwarded to the internet, and so attackers were using those to then compromise them using default credentials. Now the problem with Mirai, as you're aware, is there's very little that the end user could do to fix it, and let's be honest, they can't really be blamed, because if it still works it does what they want it to do. So what if it's part of a botnet? They can still see their cameras and they can still do what they want to do on it. It's an impacted device, but we kind of wanted to know what was

going on, and so I'd say we bought about thirty odd of these devices and Ken had a little look around them, and one thing that's really interesting is we noticed a lot of them had a very similar user interface, this kind of user interface up here. It's all very similar, and it's just kind of the web interface for any of them. It's just like, it's a bit odd really, why are they all very much the same? And these are all different brand names, a lot of them were kind of cheap Chinese brands. It's pretty obvious, right: they are effectively being made from one standard image that they bought from a company, and after a lot of

research we found out that the company's called XiongMai, and XiongMai have got a wicked wiki page on their website, and what was really interesting is that wiki page details a thing called a make pack. Now the make pack seems to be kind of a Windows-based system that you would use to customise the Linux installation that you'd then apply to the device, and so essentially customers would buy this make pack and build their install, create their install, and then put that firmware onto the device itself, and then of course the device they're then shipping. And that kind of makes sense now, we can

kind of understand why they're all basically the same. But remember, with Mirai obviously there was huge amounts of press, and vendors, you know, even the Chinese ones, they're not that stupid. They did kind of think we ought to do something here, so they kind of tried to fix it, and so what we're seeing now is vendors were using the make pack to fix it, to make the devices not vulnerable to Mirai, and the way they did that is by disabling telnet and disabling SSH on them. Kind of makes sense, right? But the problem is we can re-enable it, because they didn't kind of fix everything. And so what happens when you port scan these devices for telnet and

SSH, you'll see obviously it's closed. Ah, you're saying. Now if you scan all ports you'll note there's a port open called 9527. 9527 is a really cool port because it's used by the Sofia application. The Sofia application, from what I can understand, is effectively the application that runs the web server and runs everything on the device, so we can kind of connect to that. I thought what I'd do is I'd try to show you what that looks like, so I've got that, some, I just want to show you, this is my device. So over here, unfortunately I'd say over here because there's no power in for that, and this is my, I couldn't be

bothered to bring the box with me. So let's just quickly try and telnet to this device. Now it's not going to work, because we know telnet is disabled on that, right? But we can connect to 9527, and interestingly you don't really get any feedback, but if you hit enter on it, then it asks you for a username. This was really cool, because this Sofia application is running essentially the web application, it uses the same default username and password, which is admin and blank. So then you get this kind of weird sort of Sofia shell. But what's interesting is, like, well, how do I access anything on here? Well, if you

just type help it tells you what you can do. What's that? All right, let's have a look at that. So that's really cool, so now we're in kind of a weird shell that has no feedback at all, but we know the shell is pretty much running as root, because, well, all we can assume is it's running as root, because most of these devices run as root. So we just grab a command, because I can't be bothered

and it kind of does that, not finding stuff, which is a little bit weird, and sometimes it works, sometimes it doesn't. So let's have a look and see if it successfully works. Look at that, I've got root access to it, right? Well, although it doesn't kind of look like root, it is, which is quite cool. So you can see processes and you can see, I think, the root password, so you don't even need to brute force the password. I've got root access on that device now, and what I've done is I've re-enabled telnet, so effectively this device is now vulnerable back again to Mirai, which is pretty cool, right? I think so. So I'm kind of stuck, though,

because obviously it only works on telnet, and most network administrators of any kind of sense would kind of disable telnet and SSH from the internet. It's pretty logical, most people would do that. But these devices work primarily for people to be able to access them through a web interface or an API, most people rely on that through the internet. So we had a look at another DVR, which actually, that one is the Floureon DVR, but I kind of moved around a bit in the presentation. So we had a look at this Floureon DVR, and what we found is, through the web interface, we found a remote code execution vulnerability, which is really, really cool and really

easy to exploit. So there's around 800,000 of these on the internet, just a quick search of Shodan, so that's quite a large botnet if you can compromise it. And as I say, if you port scan it you see port 80 is open and obviously Real Time Streaming Protocol, that's for the video stuff, we're not bothered about that, and we know the credentials are admin and blank, so default credentials. In theory, yes, we could gain access to it, but this is the interface. So if you access it through Internet Explorer it wants to install some crazy ActiveX which allows you to do a lot more customisation, but I don't. So obviously you can see very

little. If I had a camera it would display the cameras in here, so pretty basic interface. You can't really do a lot, certainly you don't have admin access to the device. But if we, at the login prompt, fire a really long POST request at it, what's happened is we crash the web interface. Shortly it'll just, it will refuse to connect. So we crash the web interface, right? In essence we've caused a buffer overflow, and so obviously, I mean, I'll be honest, we haven't written any proper code on it, but essentially what we've got is a buffer overflow, a remote code execution vulnerability on that device. We started looking at the registers,

41414141 in the registers obviously, I used a couple of As there. So anyone who does any, a little bit of exploit dev, which I don't, before you ask, will understand, you know, hex 41 is capital A. It's a great way to start kind of understanding where things are registered in the registers, and you can start to see that and then you can start to build your attack. So ultimately from this point what we've got is we've got a remote code execution on that device, although obviously I haven't got a working exploit realistically here now. Of course, given a bit of time, we could get that, but that doesn't mean that we can't kind of do anything from this position, which is

pretty cool, right? So one of the things we could do is, if we use these devices, we could, yeah, we could re-enable Mirai, but actually we could do it in a much better way, a much more aggressive way. We could perhaps use Mirai to knock MalwareTech's kill switch for WannaCry offline, because is that network really going to sustain 800,000 devices? You know, Mirai had 300,000 and they knocked Facebook off the internet, so I'd like to see them try. I really don't think they'd have any success, and so you could re-enable WannaCry quite easily with a botnet of this scale, just through that

in that attack, which is pretty cool. But obviously what I'm more concerned about is we can actually compromise internal networks. So I don't really care about DDoS, I care more about protecting customers' networks, and so, you know, we could very easily from that position have compromised their internal network. I think, yeah, ultimately we could start stealing their data, but remember, of course, these are on the public internet. This is port forwarded by default to the internet, so you can connect to any of these devices with this remote code execution vulnerability and compromise them. Pretty cool. So I don't really think IoT can get much worse, right? Except it kind of can, and

that's where we kind of get into the realms of adult toys, which is obviously what everyone came for, right? Now, we wanted to see DVRs, you wanted to see sex toys, didn't you? And so, I'll just quickly, actually I just quickly need to flick over to my Wi-Fi access point for that. I always said the demo is going to fail, see, I proved it. So I want to talk about this one. I haven't brought all of the sex toys we've looked at. We've kind of got a bit of a reputation now, we're looking at all the sex toys. Ken's walking around with a butt plug in his bag, which, yeah, when I went

through customs with this, I have to say, when they were scanning my bag I was just like, should I put my bag in the hold? I really don't want to have an awkward conversation with someone: why have you got this weird endoscope dildo in your bag? And so, yeah, I mean, this is ridiculous, it is completely pointless. But you know what's really quite interesting is there's a massive market in these types of devices. Teledildonics is actually a genuine term, and interestingly, not that I researched Pornhub much, but interestingly Pornhub are doing a lot of research into teledildonics, and, you know, obviously male and female versions as well, and so, you know, it's becoming a

massive business for the porn industry. And so whilst, you know, it's kind of amusing that these devices exist, there's actually a very serious side to it: compromise of these devices can lead to some very serious implications. But back to this device. So this device obviously is an endoscope kind of device, so it's got a little camera on the end of it, I'll show you in a second, and it streams that camera image to a mobile app, so, you know, people can see what they're seeing at the end of it. So this is the Wi-Fi access point, so you connect to this Wi-Fi access point and

then you can view it. And so we kind of, let's kind of try and understand a little bit about that, because obviously it connects to it, they tell you the password for the Wi-Fi access point, but they don't tell you anything more than that. All you do is you connect to it and then you use the mobile app, but we kind of wanted to know what was going on. Now, one of the first places we look when we're trying to understand what's going on is, of course, the mobile application. I'm sure a lot of you reverse engineer mobile applications, especially Android applications, they're trivially easy to

do. The tool that I personally prefer to use, once you grab the APK from the device, or, for the lazy like me, from APKPure, once you grab that APK you can then really easily open it in the tool I like to use, which is JADX. It's just trivially easy, it just works, you don't need to do anything fancy with it. I mean, you can use dex2jar if you want, but it's a lot more effort, I have to say. And so let's just kind of have a look at the interface, all right? So let's have a look at the, I'm sure you can all see that, right? Now let me zoom

in a bit. Right, so this is the app.

So the first thing we notice when we look at the app, this is, a couple of, it's supposed to be on silent, for goodness' sake, oh, I don't care. So the first thing we notice when we look at the app, though, is that there's some weird things down here: Sky Viper wing cam. It doesn't kind of sound like a dildo, does it? That's a bit weird, right? What's really interesting is this application, this mobile app, is built using a load of drone software, which is nice. Basically this device is a drone, which would be wicked, really, and so it's got all of the mobile app in there, and what's quite funny is we

contacted the vendor after we found the vulnerabilities and they were, yeah, they were completely blasé about it. They said, yeah, you know, the developer we use, they probably must have repurposed a load of their drone software, and so it's just like, whoa. And obviously we contacted Sky Viper, the aerial one, and I have no idea what's going on, but yeah, whatever, fair enough, the same developer must have used it. It's just like, but anyway, because of that there's loads of functionality in the mobile app that doesn't really need to be there, and also we kind of find pointers in the mobile app to how we can authenticate to the actual system, and that's really easy.

So it's in the main, the main section of the app, and what we can see is that we've got our IP address right there, really easily, and the credentials for it, again admin and blank. Everyone uses admin and blank, I have no idea why. So to log on to the interface we just need to use admin.

Now I've already logged in anyway, you get my point. But the bit that I want to show you first and foremost is that we can do a couple of things. Firstly we can view the actual stream, and so that's quite cool. So you hit on that and it actually shows you the camera, and so this is the actual camera. So what Ken and Andrew do is they put it in their mouth. I don't like the idea of that, I have to say. I like to stick it in my hand, because, you know, that looks better, doesn't it? And so, yeah, I mean, in essence it is an

endoscope, so everything's really zoomed in, understandably. You wouldn't want something zoomed back, considering its use case, but yeah, it's really cool, it's actually kind of ideal. And so, first things first, you can kind of see someone's camera, so that's quite cool. So the default password for the Siime Eye is triple, sorry, eight eights, should be the same. So if you're ever in a hotel and you happen to see a Wi-Fi access point pop up called Siime, just try to connect to it, use the eight eights, it might have an interesting video to watch. Yeah, maybe not, maybe not. What else can we do from

in here? You'll note, right up in the top left-hand corner, there's something called device management. So obviously you can kind of see it's looking like the access point you would typically have at home, and so we've got loads of cool things we can do in here. We can go into things like the basic settings and change names and things like that, go into the user settings and change the user ID for it if you want, go to the wireless settings, which, if you have got one of these, I probably would recommend you do that, because obviously anyone can connect with the passcode which I told

you about. And so of course you can do that, but then there's other cool things you can do: record settings, you can enable recording, and interestingly, if we go through the advanced settings you can even enable record settings and then send it

there's a setting somewhere, and I can't find it right now, but essentially you can enable the recording and then you can enable it to record to your own NFS share. So when you find someone in a hotel using one of these, you set your own NFS share up and then you can start streaming it off to your own computer for viewing later, if that's what you want to do. And so there's loads of cool stuff. But yeah, it's a web interface, right? And so many developers of these web interfaces, you see it all the time, how many routers do we see time and time again being compromised because of really simple

things like a command injection. And so we spent a lot of time looking through this device and trying to find vulnerabilities in it that would ultimately allow us root access to the device. And so we thought, well, how can we get root access on this thing? And we looked through all of the settings, and there's loads of settings in there, and there's a lot to look at in the right place. And you can see we've got the network file share stuff, which is cool, we're talking about it, but also what we found is lots of other functionality: we can enable the device to start recording when it starts detecting

motion, which is a bit weird, remember this is a drone, but think of it from a drone point of view, a drone camera has that functionality, right? And this is basically doing the same thing. And so what we can do with the device is we can start looking for command injection. But first things first, to kind of look for command injection, wow, that's a lot of effort, quite frankly. It'd be a lot easier if we could just get the firmware, right? And what a lot of people do is they provide the firmware on their website, and so we tried to kind of identify who owns this particular device and whether we can get some firmware,

because it's not, yes, I'm not sure who the vendor of it is, and the MAC effectively pointed back to Shenzhen Recan, which is a Chinese firm. And yeah, we searched on their site and we found pretty much nothing on their site in terms of firmware, but we did find some documentation which kind of indicated that we could use a CGI command and then we could enable telnet, which is pretty cool, right? So you then get telnet on the device. So, you know, we brought up telnet, but the problem we've got is we didn't know what the password was, and, you know, it wasn't a simple password that we could just kind of, yes, we tried, we tried

brute forcing it, and the reality is we didn't really get very far with the brute force, the password wasn't in our dictionary. So we couldn't find the firmware, so the only thing really for us to do is to, you know, peel back the foreskin, so to speak, and take it apart. And so we took it all apart, and you know, this is the various stages of taking it apart, and then we hooked it up to a number of devices and we were able to pull the firmware from the device. It took about 30 minutes to extract that firmware, so, you know, a sizeable size. But you know what we couldn't find in that firmware is any

kind of /etc/passwd to try and get the hash to then brute force that offline. And so we hooked up the UART and started monitoring the device while we started moving around in the web interface, again going back to the command injection approach, and what we found, fortunately enough, was a command injection in the network share folder area. So we found a nice little command injection, managed to get /etc/passwd off the device, which is cool. Then we tried brute forcing it and we didn't have any luck with that, so we couldn't crack the hash, which was frustrating, especially when you see the hash, the password is really, really poor. So I don't quite know what we've done

there with our dictionaries. But what we knew, though, is we knew that the interface ran as root. We could easily find that. So we find out the interface runs as root, so why don't we just make our own user? That's what we did. So we use the interface to turn on telnet and create ourselves a new user, and then we can access the device as root. And so I'm going to try and do that live with a nice little script I've got. So it takes a little while to do this, because for some reason the device takes ages to respond, and I can't remember whether or not I've rebooted it or not, so it might take even longer

now. What I need, you, schoolboy error, all right. So I'm going to leave that running a little bit. Essentially what it'll do is it will turn on telnet using that CGI command, and then it takes ages and ages and ages waiting for telnet to come up, and then essentially what will happen is it will drop into a root shell. While we do that, let's just flick back to the presentation. So once we got root, we kind of realised that actually it would have been a lot easier if we'd just looked through the firmware, because written in the firmware is the password for the root user. We just grep for root and there's the password, and you can see

what I mean, how did we not crack that? Really cool. Anyway, we cracked it, but, let's see if this is done. Cool, so I've got root access on that thing. So it takes a little while, as I say, but of course we can see all of the ps commands, and then we can have, I made a spelling mistake, so we've now got root on the dildo, which obviously is completely pointless but it's quite funny. Anyway, so yeah, I mean, our code is available for that if you want, it's on our GitHub page, and if you find a dildo in a hotel you're staying at, you too can get root on their

dildo, which I'm sure will please you, but it makes no difference to their life at all. So yeah, but, you know, in terms of general advice, yeah, there's lots of advice and some ways to kind of secure stuff, but, you know, in essence, the IoT attack surface is huge, and if you are starting to kind of think about attacking IoT devices, don't just think about the device itself; you need the server side of it, you need to kind of look at it all. And also it's very important to try and pull that firmware from the device. You know, if we had really thought about it

and hadn't kind of tried to go the long way around, we could have just grepped through the firmware and found the root password and instantly accessed the device. But certainly in terms of IoT, the attack surface is huge, you know, you've got all of the apps, you've got the API, the web apps and all of the interfaces like Wi-Fi and Bluetooth, and the firmware, I/O ports, all of these different things. And while IoT does have a really good opportunity for customers, and, you know, I think there's a lot of benefits to IoT, you know, I think some of us in this room, we've got Philips Hue, others have got other devices in their houses,

and I bet we all really like them, they're really useful, they make our lives a little bit better. So, you know, I think IoT has got its place, but insecure devices do have massive potential to damage the brand. You know, Edwin earlier, he was talking about the CloudPets attack; you know, that IoT device made a huge difference. That CloudPets device, you could still buy it, but it's at such a ridiculously low price now that the company are not making any money. They're literally trying to throw it at people to get rid of it because the device is compromised. Cayla, you know, although we talked about, you know, we totally and

utterly owned that, and it's still talked about now, which is ridiculous. That is in the Museum of Failure, which I'm really quite pleased about, but not only that, it's a twenty-five thousand euro fine in Germany for owning one because it's an espionage device. And so, yeah, there's a massive opportunity to damage your brand if you get it wrong. A couple of final thoughts. OWASP, we've got some great advice both from an attacking point of view but also from a defending point of view, and the IoT Security Foundation. If you are looking to develop these devices, make sure the outsourced service provider, which I'm sure you'll be using, specifies security in them. You know, I think of this: network

separation, if you're implementing these devices, it's fundamental really. Anyone who, any of our guys who've got any IoT devices, nine times out of ten, I'll have it on a completely separate network, very limited with what it can do, because the reality is these devices can and will get compromised. And test it, you know, either by yourself if you're technically able to, or employ someone to do that. But certainly, you know, if you are looking to test yourself, look at that firmware layer, look at the application layer, look at the whole process and not just the actual device. It's not all kind of, you know, getting root on a dildo, so

to speak um couple of questions to ask you know look at a pinning your SSL Certificates there ask there is some challenges against that but I think you still got a very valid place certainly on IOT devices look at what device the bait of the device stores a lot of these devices a nice drawing really really personal data now that's going to have an impact on the GDP are and certainly under the data protection act at the moment and so ed I mind if you're developing these devices what do you need to store and lastly make sure that you you sign and validate your firmware and it's very important to do that and it's not actually lastly the other the

last question is you know if someone stole one of these devices what could your users be compromised with and that's it most general device yeah a normal dildo and any questions I would probably imagine to be honest it's a really good point I've not really bothered buying a drain to test it but yeah you mentioned then they are because I mentioned they're probably using the same same firmware on on the device so yeah that would make sense good any other questions

most of me using arm I think I'll be honest I I don't know if it's of my head but most IITs is arm and and invariably Linux the Linux which is running on it it's some kind of a cut down version of busybox and invariably any other questions cool thank you very much
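The talk's two firmware lessons (the root password was sitting in the image, and a CGI could switch on telnet) map directly onto a defender-side check you can run on a firmware image you have pulled and extracted. The script below is an added example, not code from the talk, the speaker or Pen Test Partners: it walks an extracted root filesystem, flags accounts in `etc/passwd` or `etc/shadow` that carry an empty password or a usable hash, and flags any uncommented `telnetd` launch under `etc/`. The sample tree it builds is constructed inline, the BusyBox-style layout (`etc/passwd`, `etc/init.d/rcS`) is an assumption, and the root hash in it is a placeholder, not a real hash.

```python
"""Audit an extracted firmware root filesystem for the weaknesses the talk
describes: hard-coded account password hashes in /etc/passwd or /etc/shadow
and a telnet daemon started from an init script.  The sample tree is
constructed here for illustration (assumed BusyBox-style layout)."""
import re
import tempfile
from pathlib import Path

# Password-field values that mean "no usable password" on a Unix system.
LOCKED_FIELDS = {"*", "!", "!!"}


def parse_accounts(text):
    """Map user -> password field for passwd/shadow-style lines.

    Blank lines, comments and lines without a second field are skipped.
    """
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        accounts[fields[0]] = fields[1]
    return accounts


def audit_firmware(root):
    """Return a list of human-readable findings for the tree under `root`."""
    root = Path(root)
    findings = []

    # 1. Credentials baked into the image.  Any hash present in the filesystem
    #    is extractable by whoever pulls the firmware, so flag it.
    for rel in ("etc/passwd", "etc/shadow"):
        path = root / rel
        if not path.is_file():
            continue
        for user, pw in parse_accounts(path.read_text(errors="replace")).items():
            if pw == "x":
                continue  # passwd entry deferring to /etc/shadow
            if pw == "":
                findings.append(f"{rel}: account '{user}' has an empty password")
            elif pw not in LOCKED_FIELDS:
                findings.append(f"{rel}: account '{user}' has a hard-coded password hash")

    # 2. Services launched at boot.  An uncommented telnetd line in any file
    #    under etc/ (init scripts, inittab) means a shell listener by default.
    telnet_re = re.compile(r"^[^#]*\btelnetd\b")
    etc = root / "etc"
    if etc.is_dir():
        for script in sorted(p for p in etc.rglob("*") if p.is_file()):
            lines = script.read_text(errors="replace").splitlines()
            for lineno, line in enumerate(lines, 1):
                if telnet_re.search(line):
                    rel = script.relative_to(root)
                    findings.append(f"{rel}:{lineno}: starts telnetd at boot ({line.strip()})")
    return findings


def build_sample_root():
    """Create a constructed firmware tree in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="fw_sample_"))
    (root / "etc" / "init.d").mkdir(parents=True)
    # Constructed entries: the root hash below is a placeholder, not a real one.
    (root / "etc" / "passwd").write_text(
        "root:$1$placeholder$CONSTRUCTEDHASHXXXXXXXXX:0:0:root:/:/bin/sh\n"
        "nobody:*:99:99:nobody:/:/bin/false\n"
    )
    (root / "etc" / "init.d" / "rcS").write_text(
        "#!/bin/sh\n"
        "# constructed init script\n"
        "mount -t proc proc /proc\n"
        "telnetd -l /bin/sh &\n"
        "/usr/sbin/httpd -p 80\n"
    )
    return root


if __name__ == "__main__":
    for finding in audit_firmware(build_sample_root()):
        print(finding)
```

Run it against the directory binwalk (or your extractor of choice) produced for a real image instead of `build_sample_root()`; every finding is something an attacker with the same image would find with a single grep, which is exactly the speaker's point about pulling the firmware first.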